shibboleth-dev - RE: comments: draft-mace-shibboleth-arch-conformance-01

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Tom Scavo'" <>, "'Shibboleth Development'" <>
  • Subject: RE: comments: draft-mace-shibboleth-arch-conformance-01
  • Date: Wed, 10 Nov 2004 15:45:21 -0500
  • Organization: The Ohio State University

> - Since a WAYF is essentially a proxy for the SP, why MUST a WAYF
> support IdP Discovery? Shouldn't this be OPTIONAL (just like the SP)?

WAYFs are intrinsically about IdP discovery. Not implementing the profile
would be a needless limitation.

SPs may not use a WAYF at all (many in fact) because they address the
problem themselves, usually because the list of business partners is smaller
than the list of trusted IdPs.

SP implementations are likely to be influenced by the application
environment, and sometimes discovery won't be an issue. It's arguable
whether that consideration is enough to make the profile OPTIONAL, but
that's why it's a draft.

> - If the IdP Discovery profile is optional, why is the IdP required to
> support it?

Optional for one role doesn't mean it has to be optional for another. IdP
implementations should support configuration of a common domain URL and a
mechanism to set the cookie after authentication.

> Indeed, if IdP Discovery is not implemented, then
> presumably there is no common domain and therefore no common domain
> server for the IdP to interact with. So, in what sense MUST the IdP
> support IdP Discovery?

I think you're confusing deployment with conformance. Mandatory to implement
does not mean mandatory to use.

-- Scott



